Bch fast soft decoding beyond the (d-1)/2 bound

ABSTRACT

A method for Bose-Chaudhuri-Hocquenghem (BCH) soft error decoding includes receiving a codeword x, wherein the received codeword x has τ=t+r errors for some r≥1; computing a minimal monotone basis {λi(x)}1≤i≤r+1⊆F[x] of an affine space V={λ(x)∈F[x]:λ(x)·S(x)=λ′(x) (mod x2t), λ(0)=1, deg(λ(x)≤t+r}, wherein λ(x) is an error locator polynomial and S(x) is a syndrome; computing a matrix A≡(λj(βi))i∈[w],j∈[r+1], wherein W={β1, . . . , βw} is a set of weak bits in x; constructing a submatrix of r+1 rows from sub matrices of r+1 rows of the subsets of A such that the last column is a linear combination of the other columns; forming a candidate error locating polynomial using coefficients of the minimal monotone basis that result from the constructed submatrix; performing a fast Chien search to verify the candidate error locating polynomial; and flipping channel hard decision at error locations found in the candidate error locating polynomial.

TECHNICAL FIELD

Embodiments of the disclosure are directed to algorithms fordeterministically decoding Bose-Chaudhuri-Hocquenghem (BCH) codes withup to r errors beyond the (d−1)/2 hamming distance in error patternsthat occur with very high probability, which improve the raw bit errorrate (BER) coverage of BCH and soft-BCH (SBCH) codes.

DISCUSSION OF THE RELATED ART

A widely known and broadly used BCH soft decoding scheme due to Chasedeterministically decodes BCH codes by randomly flipping weak bits andthen performing full hard decision (HD) BCH decoding per flip. Otherprior-art fast Chase decoders use partial decoding per iteration, butthe decoder covers smaller range of error patterns. The fast Chase ofWu, et al., increased soft decoding capability in comparison to Chasesoft decoding, which offered an improvement over the classical HD BCHdecoder. However, the prior art algorithms require essentially t+roperations per iteration by processing entire error-locator-polynomial(ELP)-type polynomials, and can decode only when the number of weak bitsthat are errors≥r+1.

SUMMARY

Embodiments of the present disclosure provide methods of: (1) findingand proving a dimension bound to the linear space solutions of the(t+r)-key-equations; (2) Reduction of the core processing to a smallevaluation set that is linked to an r-size linear basis of the keyequations; (3) Vast computational sharing between iterations; and (4)Combinatorial ordering that govern the solution of related linearequations. Embodiments of the present disclosure afford complexityreduction when there are more errors in the set of weak bits.Embodiments of the present disclosure further provide soft decodingcapability beyond Wu's algorithm.

Algorithms according to embodiments of the present disclosure use roperations per iteration by passing from an evaluation set of a basis toELP-type polynomials, can decode when the number of weak bits that areerrors≥r−1, and provide a substantial reduction in complexity as thenumber of errors in the weak bits increases. A design according toembodiments of the disclosure enables decoding whenever the number ofweak bits that are errors≥r+1 and

${{r \cdot \begin{pmatrix}w \\{r + 1}\end{pmatrix}} \leq C},$

and also whenever the number of weak bits that are errors≥r−1 and

${{c \times n \times \begin{pmatrix}w \\r\end{pmatrix}} \leq C},$

where w is the number of weak bits, c>0, and C>0 is the complexitybudget.

According to an embodiment of the disclosure, there is provided acomputer-implemented method of Bose-Chaudhuri-Hocquenghem (BCH) softerror decoding, including receiving a codeword x through a communicationchannel, wherein the received codeword x has τ=t+r errors for some r≥1,wherein t=(d−1)/2 and d is a minimal distance of a BCH code; computing aminimal monotone basis {λ_(i)(x)}_(1≤i≤r+1)⊆F[x] of an affine spaceV={λ(x)∈F[x]:λ(x)·S(x)=λ′(x) (mod x^(2t)), λ(0)=1, deg(λ(x)≤t+r};wherein λ(x) is an error locator polynomial, S(x) is a syndrome, andF[x]=GF(q) wherein q=2^(m) for m>1; computing a matrixA≡(λ_(j)(β_(i)))_(i∈[w],j∈[r+1]), wherein W={β₁, . . . , β_(w)} is a setof weak bits in x; and processing for every subset W′⊆W by retrievingfrom memory a set W″=R(W′), computing B_(W′) by adding one row to B_(W″)and performing Gaussian elimination operations on B_(W′), wherein R(W′)is reliability probabilities of the bits in W′. When a first r′ columnsof B_(W′) are a transpose of a systematic matrix and deg(λ(x))=t+r′,wherein 1≤r′≤r, the method further includes performing computingu(x)=gcd(λ(x), λ′(x)), wherein λ′(x) is a derivative of λ(x); computingλ(Φ\W′) and deducting from it Z_(λ(x),Φ) whereinZ_(λ(x),Φ)={(β∈Φ:λ(β)=0}, when u(x) is a scalar in F*; adding a pair(λ(x), Z_(λ(x),Φ)) to set a L of all (r′, λ(x), Z_(λ(x),Φ))) such that1≤r′≤r, λ(x)∈V′_(r′), |Z_(λ(x),W)|≥r′+1, and Z_(λ(x),Φ)|=t+r′, when|Z_(λ(x),Φ)|=t+r′; and outputting the set L.

According to a further embodiment of the disclosure, the one row addedto B_(W″) is an arbitrary odd-square polynomial in the codeword x.

According to a further embodiment of the disclosure, the method includesforming the error locating polynomial from coefficients in the set L,and flipping channel hard decisions at error locations found in thereceived codeword.

According to a further embodiment of the disclosure, λ(x)∈V_(r′) isunique and λ(β)=0 for every β∈W′, when the first r′ columns of B_(W′)are a transpose of a systematic matrix.

According to a further embodiment of the disclosure, the method includesterminating the processing of W′ when deg(u(x))≥1.

According to a further embodiment of the disclosure, the method includesterminating the processing of W′ when the first r′ columns of B_(W′) arenot a transpose of a systematic matrix or deg(λ(x))≠t+r′.

According to a further embodiment of the disclosure, the methodincludes, before computing u(x)=gcd(λ(x),λ′(x)), computing, for everyr≥ρ≥r′+2 and a pair (W₁, λ₁(x)) such that λ(x)∈V′_(ρ) and W₁⊆W with|W₁|=ρ+1, wherein λ₁(x)∈V_(ρ) is a unique polynomial such that λ₁(W₁)=0,λ₁′(β) for every β in W₁.

According to a further embodiment of the disclosure, the method includesterminating the processing of W₁ when for any β in W₁, λ₁′(β)=0.

According to an embodiment of the disclosure, there is provided anon-transitory program storage device readable by a computer, tangiblyembodying a program of instructions executed by the computer to performmethod steps for a Bose-Chaudhuri-Hocquenghem (BCH) soft error decoding.The method includes receiving a codeword x through a communicationchannel, wherein the received codeword x has τ=t+r errors for some r≥1,wherein t=(d−1)/2 and d is a minimal distance of a BCH code; computing aminimal monotone basis {λ_(i)(x)}_(1≤i≤r+1)⊆F[x] of an affine spaceV={λ(x)∈F[x]:λ(x)·S(x)=X′(x)(mod x^(2t)), λ(0)=1, deg(λ(x)≤t+r}, whereinλ(x) is an error locator polynomial, S(x) is a syndrome, and F[x]=GF(q)wherein q=2^(m) for m>1; computing a matrixA≡(λ_(j)(β_(i)))_(i∈[w], j∈[r+1]), wherein W={β₁, . . . , β_(W)} is aset of weak bits in x; constructing a submatrix of r+1 rows from submatrices of r+1 rows of the subsets of A such that the last column is alinear combination of the other columns; forming a candidate errorlocating polynomial using coefficients of the minimal monotone basisthat result from the constructed submatrix; performing a fast Chiensearch wherein the candidate error locating polynomial is verified; andflipping channel hard decision at error locations found in the candidateerror locating polynomial and returning the decoded codeword x.

According to a further embodiment of the disclosure, constructing asubmatrix of r+1 rows from sub matrices of r+1 rows of the subsets of Asuch that the last column is a linear combination of the other columnsincludes processing for every subset W′⊆W by retrieving from memory aset W″=R(W′), computing B_(W′) by adding one row to B_(W″) andperforming Gaussian elimination operations on B_(W′), wherein R(W′) isreliability probabilities of the bits in W′. When a first r′ columns ofB_(W′) are a transpose of a systematic matrix and deg(λ(x))=t+r′,wherein 1≤t′≤r, the method includes performing computing u(x)=gcd(λ(x),λ′(x)), wherein λ′(x) is a derivative of λ(x); computing λ(Φ\W′) anddeducting from it Z_(λ(x),Φ) wherein Z_(λ(x),Φ)={β∈Φ:λ(β)=0}, when u(x)is a scalar in F*; adding a pair (λ(x), Z_(λ(x),Φ)) to set a L of all(r′, λ(x), Z_(λ(x),Φ)) such that 1≤r′≤r, λ(x)∈V′_(r′),|Z_(λ(x),W)|≥r′+1, and |Z_(λ(x),Φ)|=t+r′, when |Z_(λ(x),Φ)|=t+r′; andoutputting the set L.

According to an embodiment of the disclosure, there is provided acomputer memory-based product, including a memory; and a digital circuittangibly embodying a program of instructions executed by the computer toperform a method or a Bose-Chaudhuri-Hocquenghem (BCH) soft errordecoding.

According to a further embodiment of the disclosure, the memory is atleast one of a solid-state drive, a universal flash storage, or a DRAM.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a flow chart of an error decoding algorithm according to anembodiment of the disclosure.

FIG. 2 is a block diagram of a new architecture for implementing anerror decoding algorithm, according to an embodiment of the disclosure.

FIG. 3 is a block diagram of a system for implementing a newarchitecture for an error decoding algorithm according to an embodimentof the disclosure.

DETAILED DESCRIPTION Introduction—Part 1

Let m>1, q=2^(m), F=GF(q), d is minimal distance of the BCH code,t=(d−1)/2, and α be primitive elements of F. 1<n<2^(m) is the BCH codelength and k=n−2t is the code dimension. Consider a BCH code whoseevaluation set is A={α¹, . . . , α^(n)}, and parity check matrix isH=(α^(i·j) such that 1≤i≤2t, 1≤j≤n).

A codeword X=(x₁, . . . , x_(n))∈GF(2)^(n) was transmitted and a wordY=(y₁, . . . , y_(n))∈GF(2)^(n) is received. The error word ise=Y−X=(e₁, . . . , e_(n)) and E={α^(u) such that e_(u)=1} is the set oferror locations. The decoder computes a standard BCH syndrome: [S₀, . .. , S_(d-2)]T=H·Y=H·e, which is a vector in F^((d-1)). The syndromepolynomial is

S(x)=Σ_(0≤i≤d-2) S _(i) ·x ^(i).

The receiver tries at first to decode with the standard Berlekamp-Massey(BM) algorithm combined with a Chien search. If it fails it proceedswith a proposed fast soft decoding according to an embodiment of thedisclosure. Failing BM means that the received word has τ=t+r errors forsome r≥1. The set of errors locations is denoted by E₀={α₁, . . . ,α_(τ)}⊆A, where E₀ is unknown to the decoder. The following algorithmsucceeds whenever the number of errors is 1≤r′≤r. Initially the softdecoder observes a set W⊆A of weak bits. Typically w≡|W|<<n. The errorlocator polynomial (ELP) polynomial is defined by:

λ*(x)=Π_(1≤j≤t+r)(1−x·α _(j)).

Set E={1/β:β∈E₀}. For β∈F it holds that β∈E iff λ*(β)=0. The task of thefollowing soft decoding algorithm is to first find λ*(x) and then E.Evoking the BCH key equations, the following affine polynomial space isdefined:

V={λ(x)∈F[x] such that λ(x)·S(x)=λ′(x)(mod x ^(d-1)), andλ(0)=1,deg(λ(x))≤t+r},

and

U=V+λ*(x).

By the above λ*(x)∈V, and it has been proved that dim(U)=dim*(V)≤r, and

U={λ(x)∈F[x] such that λ(x)·S(x)=λ′(x)(mod x ^(d-1)), andλ(0)=0,deg(λ(x))≤τ}.

Note also that U=V+λ(x) for every λ(x)∈V.

When |E∩W|≥r+1, an algorithms according to an embodiment has complexity

${C\left( {w,r} \right)} = {{O\left( {r \cdot \begin{pmatrix}w \\{r + 1}\end{pmatrix}} \right)}.}$

W can be determined, e.g., by log-likelihood ratios, such that this willbe the common case. In fact, the larger |E∩W| is, the faster thealgorithm becomes.

Introduction—Part 2

Following the above notations, set m≥1, q=2^(m), F=GF(q), and let d=2t+1be the code minimal distance and t+r (t≥r≥1) the maximal number oferrors that ensuing algorithm can correct. This section provides anoverview of the BCH soft decoding procedure without the details of theECC and BCH context, without details of the building of the basis to V,and mathematical proofs.

In an embodiment, a false alarm (FA) means any processing, beyondminimal, of a polynomial, checked by the algorithm, which is not theactual ELP. In particular, it includes unnecessarily activating thecomputationally heavy Chien search. An algorithm according to anembodiment has a built in mechanism that minimizes the usage of Chiensearch and reduces other verifications when FA emerges. In particular analgorithm according to an embodiment foresees bursts of FAs and detectsthem with reduced complexity. Such FAs may result from an ELP withmultiple errors in the weak bits.

In a standard BCH soft decoding algorithm, called a Chase algorithm,each probe requires a Chien search, performed by q×t products, while analgorithm according to an embodiment requires O(r) products on average,a massive reduction. The proof of the low expected number of Chiensearch is based on two BCH probability bounds, known as probabilitybounds 1 and 2 (PB1, PB2), which state that a false alarm probability isupper bounded by q⁻¹, or even q^(−s), with s>1 in some cases ofinterest.

For N≥1, b(x)=Σ_(0≤k<N)b_(k)x^(k)∈F[x] is called odd-square if for all0≤k<(N−1)/2: b_(k) ²=b_(2k+1). In the following overview the main inputof an algorithm according to an embodiment is a random odd-squarepolynomial b(x)∈F[x]. This is a generalized form of a syndromepolynomial.

A polynomial B(x) can be transformed into to a binary vector. Forexample, if B(x)+1+x+x³+x⁵, the binary vector is 110101.

Note that a computation of the GCD (greatest common divisor) of twopolynomials of degree≤N with the Euclidean algorithm can be performedwith N² products.

A theoretical justification of the algorithms presented below isprovided in the Appendix that follows this Detailed Description.

Input

In this general setting the input of the algorithm is:

(1) b(x)∈F[x], an arbitrary odd-square polynomial—this is the binarycodeword;(2) integers (t, r, n, m) where 2^(m)>n>t≥r≥1, n>w≥r≥1 and F=GF(2^(m));(3) sets W⊆Φ⊆F* wherein F* is a finite field, such that n=|Φ| and w=|W|.

Here Φ stands for the evaluation set of the code, which is an auxiliarycalculation that assists in the decoding, and W for the weak bits asexplained below. The weak bits are those for which the probability ofbeing correct is low.

Setting, Notations, Processing Principle, and Running Memory

For 0≤r′≤r define:

V _(r′) ≡V _(2t,t+r′,b(x))≡{λ(x)∈F[x]:λ(x)·b(x)=λ′(x)(mod x^(2t)),deg(λ(x))≤t+r′,λ(0)=1},

V′ _(r′)={λ(x)∈F[x]:λ(x)·b(x)=λ′(x)(mod x ² t),deg(λ(x))=t+r′,λ(0)=1},

V≡V _(r),

and writeW={β₁, . . . , β_(W)}, where the β_(i) are the probabilities and indicesof the weak bits.Note that it can be assumed without loss of generality that dim(V)=r. ♦For every λ(x)∈F[x] and a set U⊆F, define

λ(U)={λ(β):β∈U},

Z _(λ(x),U) ={β∈U:λ(β)=0}.♦

Take 1≤r′≤r. Note that by the uniqueness lemma, if λ(x)εV_(r′) isseparable, and for Z⊆F, |Z|≥r′, Z is a zero set for λ(x), i.e.,λ(Z)={0}, then λ(x) is the only polynomial in V_(r′) for which Z is azero set. ♦

Definition. For Q⊆W define Q*={i∈[w]:β_(i)∈Q}.

Define

A≡(λ_(j)(β_(i)))_(i∈[w],j∈[r+1]′),

and for Q⊆W define A_(Q) to be the matrix obtained from A by omittingall rows that are not in Q* and B_(Q) is the unique reduced row echelon(RRE) matrix, also referred to as a semi systematic matrix, whose rowspace is equal to the row space of A_(Q).♦

A matrix B is called systematic if B=[I, C], i.e., B is theconcatenation of I and C into one matrix, where I the unit matrix. ♦

Set Ordering and the Processing Principle.

The subsets of W are ordered by a total order, <, typicallylexicographic, e.g. a depth first order, wherein for any W₁ and W₂,subsets of W such that |W_(i)|≤r+1, if W₁<W₂ then W₁ is processed beforeW₂. There is a mapping R such that for every W′⊆W, 1≤|W′|≤r+1 there isW″=R(W′)⊆W′, which is unique, with |W″|=|W′|−1, such that the followingholds:

(1) Running memory. For every W′⊆W and j≡|W′|≤r+1, the running memorystored before W′ is processed, contains {W_(W′(i)):i∈[j]} whereØ=W(0)<W′(1)<W′(2)< . . . <W′(j)=W′ and for i∈[j]: |W′(i)|=i, andR(W(i))=W(i−1), which implies that the running memory is very small.(2) Computation sharing. For every W′⊆W with |W′|≤r+1, when W′ isprocessed the decoder computes at first B_(W′). It is performed afterretrieving from memory the matrix B_(R(W′)), and then performing aminimal amount of delta Gaussian elimination operations to computeB_(W′). It takes an average of O(r) products per W′.

Output

An algorithm according to an embodiment is a list decoder, which is adecoder whose output a list of codewords. One codeword in the list isthe original valid codeword. The output is the set L, which is an arrayof codewords, of all (r′, λ(x), Z_(λ(x),Φ)) such that:

1≤r′≤r,λ(x)∈V′ _(r′) ,|Z _(λ(x),W) |≥r′+1, and |Z _(λ(x),Φ) |t+r′.

Steps

FIG. 1 is a flowchart of an error decoding algorithm according to anembodiment of the disclosure. Referring now to the figure, an algorithmaccording to an embodiment begins at step 101 by receiving a codeword x.

An algorithm according to an embodiment computes first, at step 102, aminimal monotone basis of V: {λ_(i)(x)}_(1≤i≤r+1)⊆F[x], and then, atstep 103, computes the matrix A defined above, and computes also:

{λ_(j)(β):β∈Φ\W,j∈[r+1]}.

Methods for computing the minimal monotone basis of V and the matrix Aare known in the art.

(ii) At step 104, an algorithm according to an embodiment goes throughevery set W′⊆W, with |W′|≤r+1, in accordance with the order <. WhenW′⊆W, with r′+1≡|W′|≤r+1, is processed the decoder retrieves from therunning memory W″=R(W′), which is read data and reliabilityprobabilities, and computes a basis B_(W′) by adding the polynomialvector b(x) as one row to B_(W″) and performing a minimal number ofGaussian elimination operations to yield a set of codewords. If, at step105, the first r′ columns of B_(W′) are a transpose of a systematicmatrix, there is an instant check that tells the decoder if there existsa unique λ(x)∈V_(r′) such that λ(β)=0 for every β∈W′. If the answer ispositive and, deg(λ(x))=t+r′, the following steps take place, otherwisethe processing of W′ ends at step 109, where the set L is output.

(s1) At step 106, apply the Euclidean algorithm to computeu(x)=gcd(λ(x),λ′(x)).(s2) At step 107, if u(x) is a scalar in F* (i.e, λ(x) is separable)compute λ(Φ\W′) (i.e. Chien search) and deduct from it Z_(λ(x),Φ),otherwise if deg(u(x))≥1 the processing of W′ ends at step 109.(s3) At step 108, if u(x) is a scalar and |Z_(λ(x),Φ)|=t+r′, the pair(λ(x), Z_(λ(x),Φ)) is added to L.

As mentioned above, this processing requires O (r) products on averageinstead of the standard O(r³) in a prior art scheme.

Comments and Further Reduction of False Alarm in Some Distinct Cases

(1) Following (i), in an algorithm according to an embodiment, thecomputation of λ(U) for λ(x)∈V_(r′) and a subset U⊆F, e.g. Chien searchwhen U=Φ, is done in a fast mode that requires r′ products for each β,instead of t+r′ in the standard method. This is due to the fact thatλ(x)−λ_(r+1)(x) is a linear combination of {λ_(i)(x)}_(1≤i≤r′)⊆F[x].(2) It follows from the Probability Bound 2 (PB2), described in theappendix below, that in BCH decoding, for W′⊆W, with |W′|=r′+s (s≥1) theprobability that there exists λ(x)∈V′_(r′) which is not the ELP suchthat λ(W′)={0}, is upper bounded by q^(−s)/(1−q⁻²). Observe that if s=1,then no product of λ(x) will appear again in the algorithm.(3) Suppose that s=a+1, where a≥1 and r≥r′+a+1=r′+s and there existsW′⊆W with |W′|=r′+s, and a separable λ(x)∈V′_(r′), such that λ(W′)={0}.Such event can be portrayed as an event of an overflow of zeros within Wper a polynomial in V, in comparison to its degree.(4) It follows from the supposition in (3) that for every 1≤b≤a suchthat: r′+2b≤r and r′+1+a+b≤w, take any mutually different β₁, . . . ,β_(b)∈W\W′, and define:

λ₁(x)≡(1−β₁ ·x)² . . . (1−β_(a) ·x)²·λ(x) and W ₁ ≡W′∪{β ₁, . . .,β_(a)}.

It holds that λ₁(x) might be processed, unnecessarily, by an abovealgorithm according to an embodiment as part of the handling of thesubset W₁. The likelihood of this unwanted occurrence follows from thefact that:

deg(λ₁(x))=t+r ²+2b,W ₁ ⊆W,|W ₁ |=r′+a+b+1,a≥b, and λ₁(W ₁)={0}.

While the incidence of (3) is very rare in the case that λ(x) is not anELP, (see (2) above), it can occur sometimes when λ(x) is ELP. Itdepends on the input of the algorithm. When (3) occurs, for someλ(x)∈V′_(r′), in an embodiment, the decoder performs the followingpreliminary step, (s0), prior to (s1) under the following condition withrespect to the minimal r′ that satisfies (3):

(s0) For every r≥ρ≥r′+2 and a pair (W₁, λ₁(x)) such that λ(x)∈V′_(ρ) andW₁⊆W with |W₁|=ρ+1, wherein λ₁(x)∈V_(ρ) is the unique polynomial suchthat λ₁(W₁)=0, the decoder computes λ₁′(β) for every β in W₁, and if forany β in W₁, λ₁′(β)=0, the processor ends the processing of W₁.♦

Observe that if λ₁′(β)=0 for some β in W₁ then λ₁(x) is not separable.Note also that the computation of λ₁′(β) requires only (t+ρ)/2 products.

Overview

A decoding system according to an embodiment is shown in FIG. 2 .According to an embodiment, denote by x={x_(i)}_(i=1) ^(n) the (n, k, d)BCH code word, where x_(i)∈GF(2), k is the code dimension, n is the codelength and d is the BCH code minimal distance. The codeword istransmitted through a channel 10 with independent and identicallydistributed transition probability P(z|x), where z∈

and x∈GF(2). The hard decision decoder 11 receives the channel outputand decodes a codeword {circumflex over (x)}. Denote the log likelihoodratio of symbol i given the channel value z_(i) as

${R_{i} = {\log\left( \frac{P\left( {{z_{i}❘x} = 0} \right)}{P\left( {{z_{i}❘x} = 1} \right)} \right)}},$

and y as the channel hard decision, where

$y_{i} = \left\{ {\begin{matrix}0 & {{LLR}_{i} \geq 0} \\1 & {o.w.}\end{matrix}.} \right.$

A classic BCH decoder 12 is applied to y. If |{j|x_(j)≠y_(j) for|≤i≤n}|>t, where

${t = \left\lfloor \frac{d - 1}{2} \right\rfloor},$

the classic BCH decoder fails and a BCH soft decoder 13 according to anembodiment is applied.

According to an embodiment, an overview of a BCH soft decoder algorithmis as follows.

Input: z, y Output: {circumflex over (x)}

1. Find a set of w weak bits locations (lowest likelihood ratio):

W={β _(i)}_(1≤i≤w),β_(i)=α^(j) ^(i) ,j _(i)∈[0,n−1].

2. Solution to t+r key equation forms an r dimensional affine space.Find a monotone affine basis: Λ={λ₁(x) . . . λ_(r+1)(x)}.In high probability, the ELP is given as affine combination of thisbasis:

λ(x)=b ₁·λ₁(x)+b ₂·λ₂(X)+ . . . b _(r)·λ_(r)(x)+λ_(r+1)(x).

3. Look efficiently for r+1 from w locations that zero the ELPpolynomial with some coefficients {b_(i)}_(1≤i≤r):a. Compute the solution matrix:

$A = {\left\{ {a_{ij} = {\lambda_{j}\left( \beta_{i} \right)}} \right\}_{{1 \leq i \leq w},{1 \leq j \leq {r + 1}}} = \begin{bmatrix}a_{1,1} & \cdots & a_{1,{r + 1}} \\ \vdots & \ddots & \vdots \\a_{w,1} & \cdots & a_{w,{r + 1}}\end{bmatrix}}$

b. Go over all combination of sub matrices of r+1 rows of the subsets ofA, to find submatrix of r+1 rows such that the last column is a linearcombination of the other columns. This part receives the coefficients ofthe affine base b and r+1 error locations. This is the main part of thealgorithm and it is described in detail above in steps (ii), s1, s2 ands3.Computation sharing reduces the complexity of each check from O(r³) toO(r).c. Form the candidate ELP using the resulting coefficients.4. Fast Chien search to verify the candidate ELP and error locations.5. Flip the channel hard decision at the error locations found in step 3and return the decoded word {circumflex over (x)}.

System Implementations

It is to be understood that embodiments of the present disclosure can beimplemented in various forms of hardware, software, firmware, specialpurpose processes, or a combination thereof. In one embodiment, thepresent disclosure can be implemented in hardware as anapplication-specific integrated circuit (ASIC), or as a fieldprogrammable gate array (FPGA). In another embodiment, the presentdisclosure can be implemented in software as an application programtangible embodied on a computer readable program storage device. Theapplication program can be uploaded to, and executed by, a machinecomprising any suitable architecture.

In addition, methods and implementations of embodiments of thedisclosure can be used or incorporated into any memory-based product,such as a solid-state drive (SSD), universal flash storage (UFS)products, DRAM modules, etc.

FIG. 3 is a block diagram of a system for implementing an erasurecorrection algorithm that uses a neural network to perform matrixinversion, according to an embodiment of the disclosure. Referring nowto FIG. 3 , a computer system 31 for implementing the present disclosurecan comprise, inter alia, a central processing unit (CPU) or controller32, a memory 33 and an input/output (I/O) interface 34. The computersystem 31 is generally coupled through the I/O interface 34 to a display35 and various input devices 36 such as a mouse and a keyboard. Thesupport circuits can include circuits such as cache, power supplies,clock circuits, and a communication bus. The memory 33 can includerandom access memory (RAM), read only memory (ROM), disk drive, tapedrive, etc., or a combinations thereof. The present disclosure can beimplemented as a routine 37 that is stored in memory 33 and executed bythe CPU or controller 32 to process the signal from the signal source38. As such, the computer system 31 is a general purpose computer systemthat becomes a specific purpose computer system when executing theroutine 37 of the present disclosure. Alternatively, as described above,embodiments of the present disclosure can be implemented as an ASIC orFPGA 37 that is in signal communication with the CPU or controller 32 toprocess the signal from the signal source 38.

The computer system 31 also includes an operating system and microinstruction code. The various processes and functions described hereincan either be part of the micro instruction code or part of theapplication program (or combination thereof) which is executed via theoperating system. In addition, various other peripheral devices can beconnected to the computer platform such as an additional data storagedevice and a printing device.

It is to be further understood that, because some of the constituentsystem components and method steps depicted in the accompanying figurescan be implemented in software, the actual connections between thesystems components (or the process steps) may differ depending upon themanner in which the present disclosure is programmed. Given theteachings of the present disclosure provided herein, one of ordinaryskill in the related art will be able to contemplate these and similarimplementations or configurations of the present disclosure.

While the present disclosure has been described in detail with referenceto exemplary embodiments, those skilled in the art will appreciate thatvarious modifications and substitutions can be made thereto withoutdeparting from the spirit and scope of the disclosure as set forth inthe appended claims.

APPENDIX 1. Analysis of the BCH Key Equations I: Beyond the (D−1)/2Radius, and the Dimension Equality 1.1 Introduction

Here F=GF(2^(m)), m>1 and the empty sum is zero.

Definition 1:

(i) For an n dimensional vector space V over F and subspace U⊆V, and v∈Vwe define the dimension of the affine space v+U to be n, and write:

dim* _(F)(v+U)=n.

(ii) For L≥N≥1, and b(x)=Σ_(0≤k<N)b_(k)x^(k),c(x)=Σ_(0≤k<L)c_(k)x^(k)∈F[x] we would denote b(x)≤c(x) if for all 0≤k<Nit holds that c_(k)=b_(k).Lemma 1. Take λ(x)∈F[x], where X(0)=1. Let K be an extension field of Fthat contains all λ(x) roots. Represent λ(x) by:λ(x)=Π_(1≤j≤s)(1−x·α_(j))^(r(j)) where α₁, . . . , α_(s)∈K* are mutuallydifferent and r(j)≥1. Then the following equality holds:

λ′(X)/λ(x)=Σ_(1≤j≤s,r(j) is odd) α_(j)·/(1−x·α _(j)).

Proof. We can write λ(x)=β²(x)·Π_(1≤j≤s, r(j) is odd) (1−x·α_(j)) whereβ(x)∈K[x]. In other words, every polynomial can be represented uniquelyas a product of a square polynomial and α polynomial with roots ofmultiplicity 1. It then holds that

λ′(x)=β²(x)·Σ_(1≤j≤s,r(j) is odd) α_(j)·Ø_(1≤v≤s,r(v) is odd,v≠j)(1−x·α_(v)),

and hence:

λ′(x)/λ(x)=Σ_(1≤j≤s,r(j) is odd) α_(j)·/(1−x·α _(j)).♦

Lemma 2. Take λ(x)∈F[x] with λ(0)=1, andb(x)=Σ_(0≤j≤N-1)b_(j)x^(j)∈F[x]. Let K be an extension field of F thatcontains all λ(x) roots. Represent λ(x) by:λ(x)=Π_(1≤j≤s)(1−x·α_(j))^(r(j)) where α₁, . . . , α_(s)∈K* are mutuallydifferent and r(j)≥1. Then

λ(x)·b(x)=λ′(x)(mod x ^(N)) iff  (1)

b _(k)=Σ_(1≤j≤s,r(j) is odd) α_(j) ^(k+1) for all 0≤k≤N−1.

  (2)

Note that here we do not assume anything on the degrees of λ(x) andb(x), not even s≤N. Thus it holds even when b(x)=0. Note also that when(2) holds then for 0≤k<(N−1)/2: b_(k) ²=b_(2k+1).

Proof. Since λ(0)=1, λ(x)·b(x)=λ′(x)(mod x^(N)) is equivalent tob(x)=λ′(x)/λ(x (mod x^(N)) which is equivalent to:

Σ_(0≤k<N) b _(k) x ^(k)=λ′(x)/λ(x)(by lemma 1)

=Σ_(1≤j≤s,r(j) is odd) γ_(j)·/(1−x·α _(j))(mod x ^(N))

=Σ_(1≤j≤s,r(j) is odd) Σ_(0≤k) x ^(k)·α_(k) ^(k+1)(mod x ^(N))

=ρ_(0≤k≤N-1) x ^(l)·Σ_(1≤j≤s,r(j) is odd) α_(j) ^(k+1)(mod x ^(N)),

and this is equivalent to b_(k)=Σ_(1≤j≤s, r(j) is odd) for all 0≤k<N−1.♦

The following lemma enables us to skip the even iterations in the BCHBerlekamp Massey algorithm.

Lemma 3. Let λ(x)∈F[x], λ(0)=1. Suppose that N is odd and M=(N−1)/2 andthat b(x)=Σ_(0≤k≤N)b_(k)x^(k), satisfies b_(M) ²=b_(N) and

λ(x)·b(x)=λ′(x)(mod x ^(N)).

It then holds that the coefficient of x^(N) in λ(x)·b(x) is zero and

λ(x)·b(x)=λ′(x)(mod x ^(N+1)).

Proof. Let K be an extension field of F that contains all λ(x) roots.Represent λ(x) by: λ(x)=Π_(1≤j≤s)(1−x·α_(h))^(r(j)) where α₁, . . . ,α_(s)∈K* are mutually different and r(j)≥1. By lemma 2

b _(k)=Σ_(1≤j≤s,r(j) is odd) α_(j) ^(k+1) for all 0≤k≤N−1.

In addition,

b _(N) =b _(M) ²=(Σ_(1≤j≤s,r(j) is odd) α_(j)^(M+1))²=Σ_(1≤j≤s,r(j) is odd) α_(j) ^(2M+2)=Σ_(1≤j≤s,r(j) is odd) α_(j)^(N+1).

It follows that b_(k)=Σ_(1≤j≤s, r(j) is odd) α_(j) ^(k+1) for all 0≤k≤N.Thus by the other direction of lemma 2: λ(x)·b(x)=λ′(x) (mod x^(N+1)).Since all the odd coefficients of λ′(x) are zero, the coefficients ofx^(N) in λ′(x) is zero and hence the coefficients of x^(N) in λ(x)·b(x)is zero.♦

1.2 Definitions

Definition 2. For N≥1, and b(x)=Σ_(0≤k<N)b_(k)x^(k)∈F[x], b(x) isodd-square if for all 0≤k<(N−1)/2: b_(k) ²=b_(2k+1).Definition 3. For Σ,N,L,≥1, and b(x)=Σ_(0≤k<L)b_(k)x^(k)∈F[x], define

V _(N,τ,b(x))={λ(x)∈F[x]: λ(x)·b(x)=λ′(x)(mod x^(N)),deg(λ(x))≤τ,λ(0)=1}

U _(N,τ,b(x))={λ(x)∈F[x]: λ(x)·b(x)=λ′(x)(mod x ^(N)),deg(λ(x))≤τ}

V _(N,τ,b(x),0)={λ(x)∈F[x]: λ(x)·b(x)=λ′(x)(mod x^(N)),deg(λ(x))≤Σ,λ(0)=0}

U _(N,b(x))={λ(x)∈F[x]: λ(x)·b(x)=λ′(x)(mod x ^(N))}

It is clear that either V_(N,τ,b(x))=Ø ordim*(V_(N,τ,b(x)))=dim(U_(N,τ,b(x)))−1. By the above lemma that ifV_(N,τ,b(x))≠Ø for some τ and L≤N then b(x) is odd-square. Note that ifV_(N,τ,b(x)) is not empty and λ(x) is any element of V_(N,τ,b(x)) then

λ(x)+V _(N,τ,b(x),0) =V _(N,τ,b(x))

which implies that when V_(N,τ,b(x))≠Ø,

dim*(V _(N,τ,b(x)))=dim(V _(N,τ,b(x),0)).

1.3 The Dimension Bound 1 & 2

Lemma 4 (Dimension Bound 1). Let τ≥1 and L>N≥1 where N and L are evenand b(x)∈F[x] is odd-square, b(x)=Σ_(0≤k<L)b_(k)x^(k). Then, ifV_(L,Σ,b(x)≠Ø,)

dim*(V _(N,τ,b(x)))−dim*(V _(L,τ,b(x)))≤(L−N)/2.

Proof. For M≥1 set V_(M)≡V_(M,τ,b(x)). It will be shown by induction oneven s∈{0, 1, . . . , L−N} that

dim*(V _(N))−dim*(V _(N+s))≤s/2.

For s=0: take even 0≤s<L−N, and M=N+s and λ(x)∈V_(M) and observe thatthe M coefficient of p(x)=λ(x)·b(x)−λ′(x) is

Σ_(0≤j≤τ)λ_(j) ·b _(M−j)+λ_(M+1).

Thus V_(M+1)={λ(x)∈V_(M):λ_(M+1)+Σ_(0≤j≤τ) λ_(j)·b_(N−j)=0}, i.e.V_(M+1) is (nonempty) affine space which is obtained from V_(M) by oneadditional linear homogeneous equation. It follows thatdim*(V_(M))≤dim*(V_(M+1))+1. Next, by the previous lemma whenλ(x)·b(x)=λ′(x)(mod x^(M+1)) then

λ(x)·b(x)=λ′(x)(mod x ^(M+2)).

And hence V_(M+1)=V_(M+2). Thus shown thatdim*(V_(N+s))≤dim*(V_(N+s+2))+1♦As a corollary we get that:Lemma 5 (Dimension Bound 2). Take τ≥1, L=2τ, and L≥N≥1 where N is even,and b(x)∈F[x] is odd-square, b(x)=Σ_(0≤k<L)b_(k)x^(k). If there exists aseparable σ(x)∈V_(L,τ,b(x)) such that deg(σ(x))=τ, then:

dim*(V _(N,τ,b(x)))≤(L−N)/2.

Proof. This lemma follows from the previous lemma and from a claim that

(*)V≡V _(L,τ,b(x)))={σ(x)}, i.e. dim*(V _(L,τ,b(x)))=0.

To prove (*) take any λ(x)∈V and let K be an extension field of F thatcontains all the roots of σ(x) and λ(x). We can then represent

λ(x)=Π_(1≤j≤s)(1−x·α _(j))^(r(j))

where s≤τ and α₁, . . . , α_(s)∈K* are mutually different and r(j)≥1 andr(1)+42)+ . . . +r(s)≤τ, and,

σ(x)=Π_(1≤j≤r)(1−x·β _(j))

where β₁, . . . , β_(r)∈K* are mutually different. Define A to be thesymmetric difference of {β₁, . . . , β_(τ)} and {α_(j):j∈[s], r(j) isodd} [the symmetric difference of two sets is the set of elements whichis one of the sets and not in their intersection]. By lemma 2:

Σ_(1≤j≤τ),β_(j) ^(k+1) =b _(k)=Σ_(1≤j≤s,r(j) is odd) α_(j) ^(k+1) forall 0≤k≤L−1.

That is:

0=Σ_(1≤j≤τ),β_(j) ^(k+1)+Σ_(1≤j≤s,r(j) is odd) α_(j)^(k+1)=Σ_(α∈A)α^(k+1) for all 0≤k≤L−1.

Note that |A|≤s+τ≤2τ, thus if A≠Ø we get a contradiction since thisyields a linear dependency of the columns of a (2τ)×|A| Vandermondematrix. Therefore A=Ø and hence λ(x)=σ(x)♦

1.4 Uniqueness Lemma 1 (UL1)

Note that the following lemma uses the fact that F has characteristic 2.

Lemma 6:

I. For every λ(x)∈F[x] such that λ(0)=1. There then exists exist uniquepolynomials λ₁(x),u(x)∈F[x], such that:

λ₁(x)·u ²(x)=λ(x) and λ₁(0)=u(0)=1 and λ₁(x) is separable.

II. Suppose that λ(x), b(x)∈F[x] satisfy:

λ(x)·b(x)=λ′(x)(mod x ^(N)) and with λ(0)=1,

and let λ₁(x),u(x)∈F[x], be the unique polynomials λ₁(x),u(x)∈F[x], suchthat:

λ₁(x)·u ²(x)=λ(x) and λ₁(0)=u(0)=1 and λ₁(x) is separable,

then

λ₁(x)·b(x)=λ₁′(x)(mod x ^(N)) and λ(0)=1.

III. Take τ, N≥1, and b(x)∈F[x], and suppose that there is a uniqueλ(x)∈F[x] such that:

λ(x)·b(x)=λ′(x)(mod x ^(N)) and λ(0)=1 and deg(λ(x))≤τ.

Then λ(x) is separable.

Proof.

I. There exist unique λ₁(x),u(x)∈K[x], in some extension field K, suchthat:

λ₁(x)·u ²(x)=λ(x) and λ₁(0)=u(0)=1.

Since u²(x), gcd(λ(x), λ′(x)) and the gcd is computed by the Euclideanalgorithm, then u²(x)∈F[x] and hence λ₁(x) and u(x) must be in F[x] (andnot only in the extension ring K[x]).II. It follows from the assumptions of II that:

λ₁(x)·u ²(x)·b(x)=(u ²(x)·λ₁(x))′(mod x ^(N))=u ²(x)·λ₁′(x)(mod x ^(N)).

Dividing both sides by u²(x), we get that:

λ₁(x)·b(x)=λ₁′(x)(mod x ^(N)).

III. Let λ₁(x),u(x)∈F[x], be the unique polynomials λ₁(x),u(x)∈F[x],such that:

λ₁(x)·u ²(x)=λ(x) and λ₁(0)=u(0)=1 and λ₁(x) is separable.

Then by II

λ₁(x)·b(x)=λ₁′(x)(mod x ^(N)) and λ(0)=1, and clearly: deg(λ₁(x))≤τ,

and hence by the uniqueness u(x)=1 and thus λ₁(x)=λ(x). It follows thatλ(x) is separable♦

1.5 A Fundamental Rule of Nonhomogeneous Linear Equations

For completeness sake the following known fact is presented.

Fact. Let A be M×(N+1) matrix over a field K (a general field with anycharacteristic), and B the (M+1)×N matrix over K obtained from A byadding one additional row, called v, at the bottom ofA. If for every x∈R≡{x=[x₁, . . . , x_(N),x_(N+1)]_(T)∈K^(N+1):x_(N+1)=1} it holds that

Ø≠V≡{x∈R:A·x=0}={x∈R:B·x=0}≡V′,

then v is in the row space of A.Proof. Let

U={x=[x ₁ , . . . ,x _(N) ,x _(N+1)]^(T) ∈K ^(N+1) :x _(N+1)=0,A·x=0}(the set of solutions to homogeneous equations)

U′={x=[x ₁ , . . . ,x _(N) ,x _(N+1)]^(T) ∈K ^(N+1) :x _(N+1)=0,B·x=0},

C* the matrix obtained from the matrix C by omission of the last column(including the case where C comprises one row).

Since Ø≠V′=V then U′=U. It follows that v*=u·A* for some u, a row vectorin K^(M). Put w=v−u·A, then

w=[0, . . . ,0,ξ] for some ξ∈K,

and w is in the row space of B, and hence for all x∈V′: w·x=0, thus w=0,which implies that v is in the row space of A. ♦

1.6 The Dimension Equality

Lemma 7 (The Dimension Equality) Take τ≥1, L=2τ, and L≥N≥1 where N iseven, and b(x)=Σ_(0≤k<L)b_(k)x^(k)∈F[x] is odd-square. If there exists aseparable σ(x)∈V_(L,τ,b(x)) such that deg(σ(x))=τ, then:

dim*(V _(N,τ,b(x)))=(L−N)/2.

Proof. For i≥1 write, V_(i)≡V_(i,τ,b(x)). Recall that by lemma 5dim*(V_(N))≤(L−N)/2. For N∈[L] and λ(x)=Σ_(0≤j≤τ) λ_(j)x^(j)∈F[x] suchthat λ₀=1, it holds that: λ(x)∈V_(N) iff

λ(x)·b(x)=λ′(x)(mod x ^(N)),  (1)

This is equivalent to:

i linear equation L _(i)≡Σ_(0≤j≤i)λ_(j) ·b _(i−1)+(i+1)·λ_(i+1)=0 forall 0≤i≤N−1 (we define λ_(j)=0 for j>τ).  (2)

Note that the i linear equation is independent of N. By lemma 3 abovewhen N∈{L−1} is odd, then

λ(x)·b(x)=λ′(x)(mod x ^(N)) implies λ(x)·b(x)=λ′(x)(mod x ^(N+1)).

Thus, by the fact above, the formal linear equation L_(N) is linearlydependent on the formal linear equations L₁, . . . , L_(N−1) (seen as avector of coefficients in F^(τ+1)) over F. It follows that (1) isequivalent to:

L _(i):Σ_(0≤j≤i)λ_(j) ·b _(i−1) +i·λ _(i+1)=0 for all even i∈{0, . . .,N−1}.  (3)

By lemma 5 above V_(L)={σ(x)}, i.e. dim*(V_(L))=0. Thus when we put in(3) N=L we get that {L_(i):i∈{0, 2, 4, . . . , L−2}} is an independentset of τ formal linear equations in τ unknowns. Thus for even N∈{L} weget V_(N) is the set of solutions of {L_(i):i∈{0, 2, . . . , N−2}}.Hence, we reduced the number of independent linear equations by (L−N)/2and therefore dim(V_(N))=(L−N)/2.♦

Comment. This proof is also an alternative proof to the uniqueness lemma2 below.♦

1.7 Example Related to the Dimension Equality We had

L _(i):≡Σ_(0≤j≤i)λ_(j) ·b _(i−1)+(i+1)·λ_(i+1)=0 for all 0≤i≤N−1 (wedefine λ_(j)=0 for j>τ).

Therefore

L ₀:≡λ₀ ·b ₀+λ₁ =b ₀+λ₁=0,

L ₁:≡λ₀ ·b ₁+λ₁ ·b ₀ =b ₁+λ₁ ·b ₀=0.

Note that b₁+λ₁·b₀=b₀ ²+λ₁·b₀=b₀·(b₀+λ₁), thus L₁ is linearly depends onL₀.

1.8 Applying the Dimension Equality to the Syndrome Polynomial of BCH

Let t≤r≤1 d=2t+1, n>k≥1, where n*−k*=d, and consider an [n*,k*] BCHcode, and a transmitted codeword has τ=t+r errors that are located atE={α₁, . . . , α_(τ)}⊆F*. Set E′={1/β:β∈E₀}. Define for 0≤k≤2τ−1 thesyndromes:

S _(k)=Σ_(1≤j≤t+r),α_(j) ^(k+1) for all 0≤k≤2τ−1.

The decoder knows the syndromes {S_(k)}_(0≤k≤d-2). Define the syndromepolynomial:

S(x)=Σ_(0≤j≤2τ-1) ,S _(k) ·x ^(k),

and define the ELP:

λ*(x)=Π_(1≤j≤τ)(1−x·α _(j))∈[x].

By lemma 2:

λ*(x)·S(x)=λ*′(x)(mod x ^(2τ)).

Thus by lemma 7 the affine space V_(2τ,τ,S(x)) has dimension 0 and,

(*1) the affine space V=V_(2t,τ,s(x)) has dimension r.

In the following section, this (low) dimension of V plays a role inenabling low complexity. Note that

V={λ(x)∈F[x]:λ(x)·S(x)=λ′(x)(mod x ^(2t)),λ(0)=1 deg(λ(x)≤τ}.

The decoder “knows” this space and can find a basis to it.

2. Analysis of the BCH Key Equations II 2.1 Polynomial Divisions for KeyEquations Solutions

The recurrence order of (λ(x),σ(x))∈F[x]², denoted by ord(λ, σ), isdefined as

ord(λ,σ)=max{degλ,1+degσ}.

Lemma 8.

I. Take even N≥1 λ(x), γ(x),b(x)∈F[x], b(x)=Σ_(0≤k≤N-1)b_(k)x^(k), andsuppose:

λ(0)=1  (1)

λ(x)·b(x)=γ(x)(mod x ^(N)).  (2)

ord(λ,γ)≤N/2,  (3)

and (λ(x),γ(x)) is the pair with minimal order for which (1)-(3) holds.It then holds that gcd(λ(x),γ(x))=1. Take now σ(x), ω(x), ∈F[x], be suchthat the same holds:

σ(0)=1  (1)

σ(x)·b(x)=ω(x)(mod x ^(N)).  (2)

ord(σ,ω)≤N/2.  (3)

There then exists c(x)∈F[x] such that c(0)=1, deg(c(x))>1 andσ(x)=λ(x)·c(x) and ω(x)=γ(x)·c(x).II. If we add the assumption that:

X′(x)=γ(x) and σ′(x)=ω(x),  (4)

it then holds there exists u(x)∈F[x], such that u(0)=1 and c(x)=u(x)².[II. follows also from I. and lemma 10 below].III. It follows the that the other direction of I is also true: if λ(x),γ(x)∈F[x] satisfy (1)-(3) and gcd(λ(x),γ(x))=1 then (λ(x),γ(x)) is thepair with minimal order for which (1)-(3) holds.

Proof.

I. If there was g(x)∈F[x] such that g(x)|λ(x) and g(x)|γ(x) anddeg(g(x))>0 then g(0)≠0 and hence we would have g(0)·(λ(x)/g(x))·b(x),g(0)·(γ(x)/g(x))(mod x^(N)) and contradiction to the minimality of λ(x).Thus gcd(λ(x),γ(x))=1.Next, it holds that b(x)=γ(x)/λ(x) (mod x^(N)) and b(x)=ω(x)/σ(x) (modx^(N)). Therefore:

γ(x)/λ(x)=ω(x)/τ(x)(mod x ^(N)),

implying:

γ(x)·σ(x)=ω(x)·λ(x)(mod x ^(N)),

and therefore by (3):

γ(x)·σ(x)=ω(x)·λ(x).

Since (λ(x),γ(x))=1 it follows that λ(x)|σ(x). Let c(x)=λ(x)/σ(x), itthen holds that c(0)=1 and:

γ(x)·λ(x)·c(x)=ω(x)·λ(x) that is: γ(x)·c(x)=ω(x). ♦

II. Here we assume X′(x)=γ(x) and σ′(x)=ω(x). Since σ(x)=λ(x)·c(x) thenσ′(x)=λ′(x)·c(x)+λ(x)·c′(x) thus ω(x)=γ(x)·c(x)+λ(x)·c′(x) implying that

λ(x)·c′(x)=0, that is c′(x)=0.

Claim: for p(x)∈F[x], if p′(x)=0 then p(x)=q(x)² for some q(x)∈F[x].

Proof: put

p(x)=Σ_(0≤i≤n) a _(i) ·x ^(i) then p′(x)=Σ_(1≤i≤n, i odd) α_(i) ·x′^(i-1).

It follows from p′(x)=0 that:

p(x)=Σ_(0≤i≤n,i even) α_(i) ·x ^(i),

thus:

p(x)=(Σ_(0≤i≤n,i even)(a _(i))^(1/2) ·x ^(i/2))² ♭

2.2 Polynomial Divisions for Key Equations Solutions—BCH Generalization

Lemma 9. Take N≥1 σ(x), λ(x)∈F[x], σ(0)=λ(0)=1 and b(x)=Σ_(0≤k≤N-1)b_(k)x^(k)∈F[x]\{0} and suppose:

λ(x)·b(x)=λ′(x)(mod x ^(N)) and σ(x)·b(x)=σ′(x)(mod x ^(N))  (1)

N≥deg(λ(x))+deg(σ(x))  (2)

σ(x)|λ(x)  (3)

Then there exists ω(x)∈F[x], such that ω(0)=1 and λ(x)=ω(x)²·σ(x).Proof. Let K be an extension field of F that contains all λ(x) roots andall σ(x) roots. Represent λ(x) and σ(x) by:

λ(x)=Π_(1≤j≤s)(1−x·α _(j))^(r(j)) and σ(x)=Π_(1≤j≤s′)(1−x·α′_(j))^(r′(j)),  (4)

where α₁, . . . , α_(s)∈K* are mutually different and r(j)≥1. Likewiseα′₁, . . . , α′_(s′)∈K* are mutually different and r′(j)≥1. Define A tobe the symmetric difference of {α_(j):1≤j≤s, r(j) is odd} and{α′_(j):1≤j≤s′, r′(j) is odd}. It follows from lemma 2 that for 0≤k≤N−1:

Σ_(1≤j≤s,r(j) is odd) α_(j) ^(k+1) =b _(k)=Σ_(1≤j≤s′,r′(j) is odd)α′_(j) ^(k+1).

That is,

0=Σ_(1≤j≤s,r(j) is odd) α_(j) ^(k+1)+Σ_(1≤j≤s′,r′(j) is odd) α′_(j)^(k+1)=Σ_(β∈A)β^(k+1).

If A≠Ø we get a contradiction since this yields linear dependency of thecolumns of a N×|A| Vandermonde matrix where |A|≤s+s′≤N. Thus A=Ø andhence s=s′ and:

{α_(j):1≤j≤s, r(j) is odd}={α′_(j):1≤j≤s′, r′(j) is odd}.

Define

f(x)=Π_(1≤j≤s,r(j) is odd)(1−x·α _(j)).

By the above, there are polynomials g(x) and h(x) in F[x] such thatg(0)=h(0)=1 and:

λ(x)=(g(x))² ·f(x) and σ(x)=(h(x))² ·f(x).  (5)

Since σ(x)|λ(x) then h(x)|g(x). Define ω(x)=g(x)/h(x) then ω(0)=1 andω(x)²·σ(x)=λ(x).♦

2.3 Continuation Principle for Reed-Solomon (RS)

Lemma 10. Take N≥1 λ(x), γ(x), b(x)∈F[x], λ(0)=1,b(x)=Σ_(0≤k≤N-1)b_(k)x^(k), λ(x)=E_(0≤k≤τ) λ_(k)x^(k) and suppose:

λ(x)·b(x)=γ(x)(mod x ^(N)).  (1)

deg(γ(x))<τ<N.  (2)

It then holds for every L>N that there exists unique {b_(k):N<k≤L}⊆Fsuch that for

B(x)=τ_(0≤k≤L-1) b _(k) x ^(k):  (3)

λ(x)·B(x)=γ(x)(mod x ^(L)).  (4)

Proof. Define for k=N:(L−1) define, inductively, in increasing order:

b _(k)=Σ_(1≤j≤τ)λ_(j) ·b _(k−j).  (5)

Since λ₀=1 it is equivalent to

0=τ_(0≤j≤τ)λ_(j) ·b _(k−j).  (6)

This with (1) is equivalent to (4). The uniqueness follows by inductionsince (6) implies (5).♦

2.4 Continuation Principle for BCH

Lemma 11. Take L>N≥1 λ(x)∈F[x], λ(0)=1 andb(x)=Σ_(0≤k≤N-1)b_(k)x^(k)∈F[x] and suppose that:

λ(x)·b(x)=λ′(x)(mod x ^(N)) and deg(λ(x))<N.  (1)

There then exists {b_(k):N≤k<L}⊆F such that

for odd 0<k<L it holds that b _(k) =b ² _((k-1)/2),  (2)

and for B(x)=Σ_(0≤k≤L-1)b_(k)x^(k):

λ(x)·B(x)=λ′(x)(mod x ^(L)).  (3)

Note that by lemma 9 these {b_(k):N<k≤L} are unique.Proof. Let K be an extension field of F that contains all λ(x) roots.Represent λ(x) by: λ(x)=Π_(1≤j≤s)(1−x·α_(j))^(r(j)) where α₁, . . . ,α_(s)∈K are mutually different and r(j)≥1. By lemma 2 it follows fromλ(x)·b(x)=λ′(x)(mod x^(N)) that:

b _(k)=Σ_(1≤j≤s,r(j) is odd) α_(j) ^(k+1) for all 0≤k≤N−1.

Define now:

b _(k)=Σ_(1≤j≤s,r(j) is odd) α_(j) ^(k+1) for all N≤k≤L−1.

Then (2) follows and by the other direction of lemma 2 that (3) holdsfor B(x)=Σ_(0≤k≤L-1)b_(k)x^(k)♦

2.5 BCH Probability Bound for Key Equations Solutions 1 (PB1)

Lemma 12. Take t>s≥1, and randomly sample an odd-square b(x)=E_(0≤k<2t)b_(k)x^(k)∈F[x], with uniform distribution.I. The probability that there exists separable λ(x)∈F[x] such that:

λ(x)·b(x)=λ′(x)(mod x ^(2t)) and λ(0)=1 and deg(λ(x))=t−s, is upperbounded by q ^(−s).  (1)

II. The probability that there exists any polynomial λ(x)∈F[x] such that(1) holds is upper bounded by q^(−s)/(1−1/q²)

Proof.

I. Recall that the set of odd-square polynomials of degree<2t, is:

V={b(x)=Σ_(0≤k<2t) b _(k) x ^(k) ∈F[x]: for all 0≤k<t−1:b _(k) ² =b_(2k+1)}.

Define now:

W={λ(x)∈F[x]:λ(x) is separable, λ(0)=1, and deg(λ(x))=t−s}.

Note that when b(x)∈V and λ(x)∈W satisfies

λ(x)·b(x)=λ′(x)(mod x ^(2t)),

it also satisfies:

λ(x)·b(x)=λ′(x)(mod x ^(2t-2s)) and λ(0)=1 and deg(λ(x))=t−s.  (2)

For λ(x)∈W and 1≤j≤t, define:

U _(λ(x),j) ={b(x)∈V:λ(x)·b(x)=λ′(x)(mod x ^(2j))}.

By lemma 11 and its proof, U_(λ(x),t) contains exactly one polynomialand by (2) this polynomial is also in U_(λ(x),t-s). On the other hand,it is clear from the definition and from lemma 10 and its proof that,for b(x)=Σ_(0≤k<2t) b_(k)x^(k)∈U_(λ(x),t-s) it holds thatA={b_(k):0≤k<2(t−s)} are uniquely determined by the key equations andB={b_(k):2(t−s)≤k<2t, k is even} can be chosen freely from F andC={b_(k):2(t−s)≤k<2t, k is odd} are uniquely determined by A and Bthrough the equation b_(k) ²=b_(2k+1) (for all 0≤k<t−1). It followsthat:

|U _(λ(x),t-s) |=q ^(s).

Next note that by lemma 11 and its proof for λ₁(x) and λ₂(x)∈W such thatλ₁(x)≠λ₂(x) it holds that

U _(λ) ₁ _((x),t-s)∩λ_(λ) ₂ _((x),t-s)=Ø.

Now, randomly sample b(x) from V with uniform distribution and let R bethe event that b(x) is in:

U≡∪ _(λ(x)∈W) U _(λ(x),t-s).

Then for some λ(x)∈W it holds that, b(x) is an (random) element ofU_(λ(x),t-s). Hence by the above the probability that b(x) is inU_(λ(x),t) is exactly q^(−s). It follow that the probability that thereexists separable λ(x)∈F[x] such that (1) holds is:

Pr(R)·q ^(−s),

which proves I.II. It follows from UL1 above (see section 1.4) that that if λ(x)∈F[x]satisfies (1) above, then there are unique polynomial λ₁(x),u(x)∈F[x],such that:

λ₁(x)·u ²(x)=λ(x) and λ₁(0)=u(0)=1 and λ₁(x) is separable,  (a1)

and

λ₁(x)·b(x)=λ₁′(x)(mod x ^(2t)).  (a2)

Note that u(x) can also be 1. Let j=deg(u(x)), then anddeg(λ₁(x))=t−s−2j. It was proved above that the probability that when wesample b(x) randomly from V, (a2) will be satisfied, is upper bounded byq^(−s-2j). Thus the probability that (1) is satisfied is upper boundedby:

q ^(−s)·(1+q ⁻² +q ⁻⁴+ . . . )=q ^(−s)/(1−1/q ²)♦

2.6 General Polynomial Division Principles Related to RS and BCH

Interpolation. For γ₁, . . . , γ_(N), distinct elements of F*, and forevery p(x)∈F[x] with deg(p(x))<N there exists unique coefficients a₁, .. . , a_(N)∈F such that

p(x)=Σ_(j∈[N]) a _(j)·

(1−x·γ _(i)).

Proof. For j∈[N] define p_(j)(x)=

(1−x·γ_(i)). It is sufficient to prove that {p_(j)(x)}_(j∈[N]) arelinearly independent. Take a₁, . . . , a_(N)∈F and define

p(x)=Σ_(j∈[N]) a _(j) ·p _(j)(x),

it then holds for j∈[N] that

p(1/γ_(i))=a _(j)·

(1−γ_(i)/γ_(j))

Thus if p(x)=0 then a_(j)=0 for all j∈[N].♦Lemma 13. Take N≥1, and any polynomials λ(x),σ(x)∈F[x] (of any degrees)such that λ(0)=1. There then exists a unique polynomial

b(x)=Σ_(0≤k<N) b _(k) x ^(k) ∈F[x]∈F[x] such that

λ(x)·b(x)=σ(x)(mod x ^(N)).  (1)

Proof. We represent λ(x)=1+x·λ₁(x), where λ₁(x)∈F[x]. (1) implies that:

b(x)=σ(x)/(1+x·λ ₁(x))(mod x ^(N))=σ(x)·(Σ_(0≤i≤N-1)(x·λ ₁(x))^(i))(modx ^(N)).♦

Lemma 14. Take any M,N≥1, and λ(x),σ(x)∈F[x] such that λ(x) is separableand λ(0)=1 and M=deg(λ(x))>deg(σ(x)) and let

b(x)=Σ_(0≤k<N) b ^(k) x ^(k) ∈F[x]

be the unique polynomial (see lemma 13) such that:

λ(x)·b(x)=σ(x)(mod x ^(N)).  (1)

Let K be an extension field of F that contains all λ(x) roots, we canrepresent λ(x) by uniquely:

λ(x)=Π_(1≤j≤M)(1−x·α _(j)),

where α₁, . . . , α_(t)∈K* are distinct scalars.There exists a₁, . . . , a_(M)∈F such that

b _(k)=∈_(1≤j≤M) a _(j)·α_(j) ^(k) for all 0≤k<N.  (2)

a₁, . . . , a_(M) are unique when M≤N/2.Proof. By the claim above there exists unique a₁, . . . , a_(M)∈F suchthat

σ(x)=Σ_(j∈[M]) a _(j)·

(1−x·α _(i))

It follows from (1) that:

b(x)=Σ_(j∈[M]) a _(j)/(1−α_(j) ·x)(mod x ^(N))

=Σ_(j∈[M]) a _(j)·Σ_(0≤i≤N-1)(α_(j) ·x)^(i)

=Σ_(0≤i≤N-1)Σ_(j∈[M]) a _(j)·(α_(j) ·x)^(i)

=Σ_(0≤i≤N-1) x ^(i)·Σ_(j∈[M]) a _(j)·α_(j) ^(i).

This proves (2). The uniqueness, when M≤N/2, follows from the sameVandermonde independency argument as for the BCH. ♦

3. Analysis of the Key Equations III 3.1 The Uniqueness and ExpansionLemmas

For N, τ−1 and b(x)∈F[x] we defined:

V _(N,τ,b(x))≡{λ(x)∈F[x]:λ(x)·b(x)=λ′(x)(mod x^(N)),deg(λ(x))≤τ,λ(0)=1}.

Note that for all λ(x)∈V_(N,τ,b(x)) the roots of λ(x) are nonzero. Thefollowing lemma eliminates certain singularities in our solution. Itimplies that if the ELP in V then any polynomial in V that has r rootsin W in common with the ELP is in fact that ELP.

Lemma 15 (Uniqueness Lemma 2 (UL2)). Let t≥1, r≥1 and b(x)∈F[x] isodd-square, b(x)=Σ_(0≤k<L)b_(k)x^(k) and suppose thatλ(x),σ(x)∈=V_(2t,t+r,b(x)) wherein λ(x) is separable. Suppose also thatfor some D⊆F*, |D|=r, for every δ∈D that 2(β⁻¹)=σ(β⁻¹)=0. It then holdsthat σ(x)=λ(x).Proof. Let K be an extension field of F that contains all λ(x) roots andall σ(x) roots. We can represent λ(x) and σ(x) by:

λ(x)=Π_(1≤j≤t+r)(1−x·α _(j))

σ(x)=Π_(1≤j≤t′+r)(1−x·β _(j))^(r(j))

Where 0≤t′≤t, r(j)≥1 and α₁, . . . , α_(t+r)∈K* are mutually differentand β₁, . . . , β_(t′+r)∈K* are mutually different. Note that D⊆{α₁, . .. , α_(t+r)} and D⊆{β₁, . . . , β_(t′+r)}. Thus we can assume withoutloss of generality that α_(i)=β_(i)∈D for i∈[r]. Let B={i∈[r]:r_(j) iseven} and b=|B|. Note that t′≤t−b.

By lemma 2 for all 0≤k≤2t−1:

Σ_(1≤j≤t+r)α_(j) ^(k+1) =b _(k)=Σ_(1≤j≤t′+r,r(j) is odd) β_(j) ^(k+1).

Thus for every 0≤k≤2t−1:

Σ_(1≤j≤t+r)α_(j) ^(k+1)+Σ_(1≤j≤t′+r,r(j) is odd) β_(j) ^(k+1)=0,

that is,

Σ_(1≤j≤r,r(j) is even) α_(j) ^(k+1)+Σ_(r+1≤j≤t+r)α_(j)^(k+1)+Σ_(r+1≤j≤t′+r,r(j)) is odd β_(j) ^(k+1)=0.

Let A₁={α_(j): j∈B}, A₂={α_(j): r+1≤j≤t+r}, A₃={β_(j): r+1≤j≤t′+r, r(j)is odd}. It then holds that |A₁|=b and |A₂|=t and |A₃|=t′≤t−b.

Thus

|A ₁ |+|A ₂ |+|A ₃ |≤b+t+(t−b)≤2t.

Note that

A ₁ ∩A ₂ =A ₁ ∩A ₃=Ø,

and define

C=A ₁ ∪A ₂ ∪A ₃ \A ₂ ∩A ₃.

Then |C|≤2t and by the above for every 0≤k≤2t−1:

Σ_(γ∈C)γ^(k+1)=0.

If C is not the empty set we get a contradiction since this yieldslinear dependency of the columns of a (2t)×|C| Vandermonde matrix where|C|≤2t. Thus C=Ø and hence A₁=Ø and A₂∪A₃=A₂∩A₃, that is A₂=A₃. Itfollows that λ(x)=σ(x).♦

Recall that the transformation x→x² is 1-1 linear transformation from Fto F over F₂.

Lemma 16 (Expansion Lemma). Let t≥1, r<s≥1 and b(x)∈F[x] is odd-square,b(x)=E_(0≤k<L)b_(k)x^(k) and take λ(x)∈V_(2t,t+r,b(x)) withdeg(λ(x))=t+s. It then holds for every p(x)∈F(x) such that p(0)=1deg(p(x))≤(r−s)/2 and f(x)=p²(x) that f(x)·λ(x)∈V_(2t,t+r,b(x)).Proof. Note that f′(x)=0 and hence for all g(x)∈F[x](f(x)·g(x))′=f(x)·g′(x), thus since

λ(x)·b(x)=λ′(x)(mod x ^(N))

Then

f(x)·λ(x)·b(x)=f(x)·λ′(x)(mod x ^(N))=(f(x)·λ(x))′(mod x ^(N)).

In addition deg(f(x)·λ(x))≤t+r, and (f·λ)(1)=1. Thusf(x)·λ(x)∈V_(2t,t+r,b(x)).

3.2 The Dimension Bound 3 (DB3)

Lemma 17. Let N, τ≥1, b(x)=b(x)=Σ_(0≤k<N)b_(k)x^(k)∈F[x] is odd-square,then, if V_(N,τ,b(x))≠Ø:

Δ≡dim*(V _(N,τ+1,b(x)))−dim*(V _(N,τ,b(x)))≤1.

Proof. Note that the case τ≥N−1 is trivial: if we add to any basis ofV_(N,τ,b(x)), the polynomial λ(x)=x^(t+1) we get a basis ofV_(N,τ+1,b(x)), and hence in this case Δ=1. Assume henceforth thatτ<N−1. A polynomial λ(x)=Σ_(0≤i≤Σ)λ_(i)x^(i)∈F[x] is in V_(N,τ,b(x))iff, λ₀=1 and

Σ_(0≤i≤k)λ_(i) ·b _(k−i)+(k+1)λ_(k+1)=0 for all 0≤k<N (we define γ_(i)=0for i>τ).

Likewise a polynomial λ(x)=Σ_(0≤i≤τ+1)λ_(i)x^(i)∈F[x] is inV_(N,τ+1,b(x)) iff λ₀=1 and

Σ_(0≤i≤k)λ_(i) ·b _(k−i)+(k+1)·λ_(k+1)=0 for all 0≤k<N.

Let δ_(i,k) be the GF(2) Kronecker delta, i.e., for integers i,k:δ_(i,k)=0_(GF(2)) if i=j and δ_(i,k)=1_(GF(2)) if i≠j. Consider thefollowing N row vectors in F^(N+1):

v ₀ =[b ₀,1,0, . . . ,0]

v ₁ =[b ₁ ,b ₀,0, . . . ,0]

v ₂ =[b ₂ ,b ₁ ,b ₁,1, . . . ,0]

v ₃ =[b ₃ ,b ₂ ,b ₁ ,b ₀,0, . . . ,0]

v ₄ =[b ₄ ,b ₃ ,b ₂ ,b ₁ ,b ₀,1,0, . . . ,0]

v ₅ =[b ₅ ,b ₄ ,b ₃ ,b ₂ ,b ₁ ,b ₀,0, . . . ,0]

v ₆ =[b ₆ ,b ₅ ,b4₃ ,b ₃ ,b ₂ ,b ₁ ,b ₀,1,0, . . . ,0]

v _(N−1) =[b _(N−1) ,b _(N−2) ,b _(N−3) , . . . ,b ₂ ,b ₁ ,b ₀],

and let A be the N×N matrix whose rows are v₀, . . . , v_(N−1)respectively. It then holds that a polynomialλ(x)=1+Σ_(1≤i≤τ)λ_(i)x^(i)∈F[x] is in V_(N,τ,b(x)) iff

A·[1,λ₁, . . . ,λ_(τ),0, . . . ,0]=0,

and a polynomial

λ(x)=1+Σ_(1≤i≤τ+1)λ_(i) x ^(i) ∈F[x] is in V _(N,τ+1,b(x)) iff

A·[1,λ₁, . . . ,λ_(t),λ_(t+1),0, . . . ,0]=0.

It follows that dim*(V_(N,τ+1,b(x)))−dim*(V_(N,τ,b(x)))≤1♦As a corollary we get:

Lemma 18 (Dimension Bound 3)

Let τ≥1, s≥1 b(x)∈F[x] is odd-square, b(x)=Σ_(0≤k<N)b_(k)x^(k). Then, ifV_(L,τ,b(x))≠Ø:

dim*(V _(N,τ+s,b(x)))−dim*(V _(N,τ,b(x)))≤s.

3.3 Dimension Bound 4 (DB4) on a Midway Degree ELP

Lemma 19 (Dimension Bound 4). Take t≥r≥r′<r″≥0 and odd-square b(x)∈F[x]and suppose that

(*) there exists λ(x)∈V_(2t+2r′,t+r′,b(x)) that is separable of degreet+r′.

It then holds that:

dim*(V _(2t,t+r′,b(x)))=r′ and dim*(V _(2t,t+r,b(x)))≤r.  I.

Define r*=max{r ₁ :r ₁ ≤r and dim(V _(2t,t+r(1),b(x)))=r ₁}. Thenr′≤r*.  II.

dim*(V _(2t,t+r″,b(x)))≥r″  III.

Proof.

I. By the dimension equality:

dim*(V _(2t,t+r′,b(x)))=r′,

and by DB3

dim*(V _(2t,t+r,b(x)))−dim*(V _(2t,t+r′,b(x)))≤r−r′.

It follows that:

dim*(V _(2t,t+r,b(x)))≤r.

II. Follows from the proof of I.III. and by DB3 dim*(V_(2t,t+r′,b (x)))−dim*(V_(2t,t+r″,b(x)))≤r′−r″,therefore dim*(V_(2t,t+r″,b(x)))≥r″.♦

4. Polynomial Degree Reduction Lemmas, and Probabilistic Bound 4.1Reducing the Key Equations by One Degree

Lemma 20. Take b(x)=Σ_(0≤k<N-1)b_(k)x^(k)∈F[x] and λ(x)∈F[X] withλ(0)=1, and suppose that

λ(x)·b(x)=λ′(x)(mod x ^(N)),  (1)

and that α∈F* is an inverse of a root of λ(x), i.e., (1−α·x)|λ(x).Define

λ*(x)=λ(x)/(1−α·x) and b*(x)=Σ_(0≤k<N-1)(b _(k)+α^(k+1))·x ^(j).

It then holds that:

λ*(x)·b*(x)=λ*′(x)(mod x ^(N)).  (2)

Proof. Note that

b(x)+α/(1−αx)(mod x ^(N))

=b(x)+Σ_(0≤k<∞□)α^(k+1) ·x ^(k) =b*(x)(mod x ^(N))

Thus by (1): λ(x)·b(x)*=(1−α·x)·λ*(x)·(b(x)+α/(1−αx)) (mod x^(N))

=((1−α·x)·λ*(x))′+α·λ*(x)(mod x ^(N))

=((1−α·x)·λ*(x)′+α·λ*(x))+α·λ*(x)(mod x ^(N))=(1−α·x)·λ*(x)′(mod x^(N)).

Therefore, dividing by (1−αx):

λ*(x)·(b(x)+α/(1−αx))=λ*(x)′(mod x ^(N)),

which proves (2).

4.2 Reducing the Key Equation by any Number of Degrees

As a corollary to lemma 20 we get that:Lemma 21. Take s≥1, and b(x)=Σ_(0≤k<N-1)b_(k)x^(k)∈F[x] and λ(x)∈F[x]with λ(0)=1, and suppose that

λ(x)·b(x)=λ′(x)(mod x ^(N)),  (1)

and that α₁, . . . , α_(s)∈F* are mutually different inverses of rootsof λ(x), i.e., (1−α_(i)·x)|λ(x), for i∈[s] & α_(i)≠α_(j) for i,j∈[s]i≠j. Define

λ*(x)=λ(x)/(Π_(i∈[s])(1−α_(i) ·x)) and b*(x)=Σ_(0≤k<N-1)(b_(k)+Σ_(i∈[s])α_(i) ^(k+1))·x ^(j).

It then holds that:

λ*(x)·b*(x)=λ*′(x)(mod x ^(N)).♦  (2)

4.3 BCH Probability Bound for Key Equations Solutions 2 (PB2)

Introduction. Next we arrive at a probabilistic observation. Thefollowing event A is a prototype of an event in the main soft decodingalgorithm, wherein a solution to the key equation turns out to be afalse ELP candidate, and hence requires some additional complexity. Itwill be shown that this event has probability close to q⁻¹ in firstversion and close to q⁻² in a second version. In the second versionthere are an insignificant number of false candidates and consequentlyinsignificant added complexity due to a false alarm that requires aChien search.

Lemma 22. Take t≥r≥1, s>1, and b(x)=Σ_(0≤k<t) b_(k)x^(k)∈F[x]. Fixmutually different α₁, . . . , α_(r+s)∈F*. It holds that the probabilityof the following event, A, is upper bounded by q^(−s)/(1−q⁻²).The event A: There exists λ(x)∈F[x] with λ(0)=1, and deg(λ(x))=t+r suchthat:

λ(x)·b(x)=λ′(x)(mod x ^(2t)), and  (1)

(1−α_(i) ·x)|λ(x), for i∈[r+s] & α_(i)≠α_(j) for i,j∈[r+s]i≠j.  (2)

Proof. Define

λ*(x)=λ(x)/(Π_(i∈[r+s])(1−α_(i) ·x)), and b*(x)=Σ_(0≤k<N-1)(b_(k)+Σ_(i∈[r+s])α_(i) ^(k+1))·x ^(j).

By lemma 21 it holds that:

λ*(x)·b*(x)=λ*′(x)(mod x ^(2t)) and λ*(0)=1.  (3)

Note also that deg(λ*(x))=t−s. It follows from PB1 above that theprobability of this event is upper bounded by q^(−s)/(1−q⁻²).

5. Minimal Monotone Basis of Affine Space of Polynomials and DimensionalSetup 5.1 Minimal Monotone Basis

A series of polynomials {p_(i)(x)}_(1≤i≤s) is called monotone ifdeg(p_(i)(x))<deg(p_(i+1)(x)) for i∈[s−1]. For an s-dimensional subspaceU⊆F[x], A={p_(i)(x)}_(1≤i≤s)⊆F[x] is called monotone basis if A ismonotone and also a basis of U. Note while there can be many monotonebases to U, the sequence {deg(p_(i)(x))}_(1≤i≤s) is unique for the givenU, and is independent of the monotone basis we choose.A={p_(i)(x)}_(1≤i≤s) is called canonic basis of U if every polynomial inA is monic and if for all i∈[s], the coefficient of x^(j) forj=deg(p_(i)(x)) is zero for all p_(a)(x), where a∈[s], a≠i. By [GU]below, the canonic basis is unique. Take p*(x)∈F[x]\U, and define theaffine space W=U+p*(x). B={p_(i)(x)}_(1≤i≤s+1)⊆F[x] is called monotonebasis of W if {p_(i)(x)}_(1≤i≤s) is a monotone basis of U andp_(s+1)(x)∈F[x]\U. B is called minimal monotone basis of W if B ismonotone and deg(p_(s+1)(x)) is minimal among all such bases. Note thatwhen B={p_(i)(x)}_(1≤i≤s+1)⊆F[x] is a minimal monotone basis of W, thendeg(p_(s+1)(x)) is not in {deg(p_(i)(x))}_(1≤i≤s), and thereforedeg(p_(s+1)(x))=min{deg(p(x)):p(x)∈W}≡μ. On the other hand if p(x)∈U anddeg(p(x))=μ and {p_(i)(x)}_(1≤i≤s) is any monotone basis of U then forp_(s+1)(x)=p(x), it holds that {p_(i)(x)}_(1≤i≤s+1) is a minimalmonotone basis of W.

5.2 Main Dimensional Setup for the Algorithm

Take t≥r≥1 and odd-square b(x)∈F[x] and set V≡V_(2t,t+r,b(x)). By thedimension equality, if there exists a separable σ(x)∈V such thatdeg(σ(x))=t+r, then:

(*)dim*(V)=r.

In general, given b(x) and r we cannot know in advance if such σ(x)exist, before operating the proceeding algorithm. However, owing to DB4II (see section 3.3, above), (*) is the only case of interest for theensuing algorithm. Thus let {λ_(i)(x)}_(1≤i≤r+1)⊆F[x] be a minimalmonotone basis of V. Note that we can always find a minimal monotonebasis to V by solving the associated linear equations, using Gaussianelimination. Let μ=deg(λ_(r+1)(x)). As mentioned above

μ=min{deg(λ(x)): λ(x)∈V}. In fact V _(2t,μ,b(x))={λ_(r+1)(x)} and for1≤j:

if j<μ:V_(2t,j,b(x))=Ø;

if j≥μV_(2t,j,b(x))≠Ø.

1. A digital electronic circuit tangibly embodying a program ofinstructions executed by the digital electronic circuit to performmethod steps for Bose-Chaudhuri-Hocquenghem (BCH) soft error decoding,comprising the steps of; receiving a codeword x through a digitalelectronic communication channel, wherein the received codeword x hasτ=t+r errors for some r≥1, wherein t=(d−1)/2 and d is a minimal distanceof a BCH code; computing a minimal monotone basis{λ_(i)(x)}_(1≤i≤r+1)⊆F[x] of an affine spaceV={λ(x)∈F[x]:λ(x)·S(x)=λ′(x)(mod x^(2t)), deg(λ(x)≤t+r}, wherein λ(x) isan error locator polynomial, S(x) is a syndrome, and F[x]=GF(q) whereinq=2^(m) for m>1; computing a matrix A≡(λ_(j)(β_(i)))_(i∈[w],j∈[r+1]),wherein W={β₁, . . . , β_(w)} is a set of weak bits in x; processing forevery subset W«⊆W by retrieving from memory a set W″=R(W′), computingB_(W′) by adding one row to B_(W″) and performing Gaussian eliminationoperations on B_(W′), wherein R(W′) is reliability probabilities of thebits in W′; and wherein when a first r′ columns of B_(W′) are atranspose of a systematic matrix and deg(λ(x))=t+r′, wherein 1≤r′≤r,performing: computing u(x)=gcd(λ(x),λ′(x)), wherein λ′(x) is aderivative of λ(x); computing λ(Φ\W′) and deducting from it Z_(λ(x),Φ)wherein Z_(λ(x),Φ)={β∈Φ:λ(β)=0}, when u(x) is a scalar in F*; adding apair (λ(x), Z_(λ(x),Φ)) to set a L of all (r′, λ(x), Z_(λ(x),Φ)) suchthat 1≤r′≤r, λ(x)∈V′_(r′), |Z_(λ(x),W)|≥r′−1, and |Z_(λ(x),Φ)|=t+r′,when |Z_(λ(x),Φ)=t+r′; and outputting the set L to the digitalelectronic communication channel.
 2. The method of claim 1, wherein theone row added to B_(W″) is an arbitrary odd-square polynomial in thecodeword x.
 3. The method of claim 1, further comprising forming theerror locating polynomial from coefficients in the set L, and flippingchannel hard decisions at error locations found in the receivedcodeword.
 4. The method of claim 1, wherein λ(x)∈V_(r′) is unique andλ(β)=0 for every β∈W′, when the first r′ columns of B_(W′) are atranspose of a systematic matrix.
 5. The method of claim 1, furthercomprising terminating the processing of W′ when deg(u(x))≥1.
 6. Themethod of claim 1, further comprising terminating the processing of W′when the first r′ columns of B_(W′) are not a transpose of a systematicmatrix or deg(λ(x))≠t+r′.
 7. The method of claim 1, further comprising,before computing u(x)=gcd(λ(x),λ′(x)), computing, for every r≥ρ≥r′+2 anda pair (W₁, λ₁(x)) such that λ(x)∈V′_(ρ) and W₁⊆W with |W₁|=ρ+1, whereinλ₁(x)∈V_(ρ) is a unique polynomial such that λ₁(W₁)=0, λ₁′(β) for everyβ in W₁.
 8. The method of claim 5, further comprising terminating theprocessing of W₁ when for any β in W₁, λ₁′(β)=0.
 9. A non-transitoryprogram storage device readable by a computer, tangibly embodying aprogram of instructions executed by the computer to perform method stepsfor a Bose-Chaudhuri-Hocquenghem (BCH) soft error decoding, comprisingthe steps of: receiving a codeword x through a digital electroniccommunication channel, wherein the received codeword x has τ=t+r errorsfor some r≥1, wherein t=(d−1)/2 and d is a minimal distance of a BCHcode; performing error correction on the codeword to generate acorrected codeword; and outputting data included in the correctedcodeword to the digital electronic communication channel, whereinperforming the error correction comprises computing a minimal monotonebasis {λ_(i)(x)}_(1≤i≤r+1)⊆F[x] of an affine spaceV={λ(x)∈F[x]:λ(x)·S(x)=λ′(x)(mod x^(2t)), λ(0)=1, deg(λ(x)≤t+r}, whereinλ(x) is an error locator polynomial, S(x) is a syndrome, and F[x]=GF(q)wherein q=2^(m) for m>1; computing a matrixA≡(λ_(j)(β_(i)))_(i∈[w],j∈[r+1]), wherein W={β₁, . . . , β_(w)} is a setof weak bits in x; constructing a submatrix of r+1 rows from submatrices of r+1 rows of the subsets of A such that the last column is alinear combination of the other columns; forming a candidate errorlocating polynomial using coefficients of the minimal monotone basisthat result from the constructed submatrix; performing a fast Chiensearch wherein the candidate error locating polynomial is verified; andflipping channel hard decision at error locations found in the candidateerror locating polynomial and returning the decoded codeword x.
 10. Thecomputer-readable program storage device of claim 9, whereinconstructing a submatrix of r+1 rows from sub matrices of r+1 rows ofthe subsets of A such that the last column is a linear combination ofthe other columns comprises: processing for every subset W′⊆W byretrieving from memory a set W″=R(W′), computing B_(W′) by adding onerow to B_(W″) and performing Gaussian elimination operations on B_(W′),wherein R(W′) is reliability probabilities of the bits in W′; whereinwhen a first r′ columns of B_(W′) are a transpose of a systematic matrixand deg(λ(x))=t+r′, wherein 1≤r′≤r, performing: computing u(x)=gcd(λ(x),λ′(x)), wherein λ′(x) is a derivative of λ(x); computing λ(Φ\W′) anddeducting from it Z_(λ(x),Φ) wherein Z_(λ(x),Φ)={β∈Φ: λ(β)=−0}, whenu(x) is a scalar in F*; adding a pair (λ(x), Z_(λ(x),Φ)) to set a L ofall (r′, λ(x), Z_(λ(x),Φ)) such that 1≤r′≤r, λ(x)∈V′_(r′),|Z_(λ(x)m/w)|≥r′+1, and |Z_(λ(x),Φ)|=t+r′, when |Z_(λ(x),Φ)|=t+r′; andoutputting the set L.
 11. The computer-readable program storage deviceof claim 10, wherein the one row added to B_(W″) is an arbitraryodd-square polynomial in the codeword x.
 12. The computer-readableprogram storage device of claim 10, wherein λ(x)∈V_(r′) is unique andλ(β)=0 for every β∈W′, when the first r′ columns of B_(W′) are atranspose of a systematic matrix.
 13. The computer-readable programstorage device of claim 10, the method further comprising terminatingthe processing of W′ when deg(u(x))≥1.
 14. The computer-readable programstorage device of claim 10, the method further comprising terminatingthe processing of W′ when the first r′ columns of B_(W′) are not atranspose of a systematic matrix or deg(λ(x))≠t+r′.
 15. Thecomputer-readable program storage device of claim 10, the method furthercomprising, before computing u(x)=gcd(λ(x),λ′(x)), computing, for everyr≥ρ≥r′+2 and a pair (W₁, λ₁(x)) such that λ(x)∈V′_(ρ) and W₁⊆W with|W₁|=ρ+1, wherein λ₁(x)∈V_(ρ) is a unique polynomial such that λ₁(W₁)=0,λ₁′(β) for every β in W₁.
 16. The computer-readable program storagedevice of claim 15, the method further comprising terminating theprocessing of W₁ when for any β in W₁, λ₁′(β)=0.
 17. A computermemory-based product, comprising: a memory; and a digital circuittangibly embodying a program of instructions executed by the computer toperform a method for a Bose-Chaudhuri-Hocquenghem (BCH) soft errordecoding, wherein the method comprises the steps of: receiving acodeword x through a digital electronic communication channel, whereinthe received codeword x has τ=t+r errors for some r≥1, wherein t=(d−1)/2and d is a minimal distance of a BCH code; performing error correctionon the codeword to generate a corrected codeword; and outputting dataincluded in the corrected codeword to the digital electroniccommunication channel, wherein performing the error correction comprisescomputing a minimal monotone basis {λ_(j)(x)}_(1≤i≤r+1)⊆F[x] of anaffine space V={λ(x)∈F[x]:λ(x)·S(x)=λ′(x)(mod x^(2t)), λ(0)=1,deg(λ(x)≤t+r}, wherein λ(x) is an error locator polynomial, S(x) is asyndrome, and F[x]=GF(q) wherein q=2^(m) for m>1; computing a matrixA≡(λ_(j)(β_(i)))_(i∈[w],j∈[r+1]), wherein W={β₁, . . . , β_(w)} is a setof weak bits in x; processing for every subset W′⊆W by retrieving frommemory a set W″=R(W′), computing B_(W′) by adding one row to B_(W″) andperforming Gaussian elimination operations on B_(W′), wherein R(W′) isreliability probabilities of the bits in W′; wherein when a first r′columns of B_(W′) are a transpose of a systematic matrix anddeg(λ(x))=t+r′, wherein 1≤r′≤r, performing: computing u(x)=gcd(λ(x),λ′(x)), wherein λ′(x) is a derivative of λ(x); computing λ(Φ\W′) anddeducting from it Z_(λ(x),Φ) wherein Z_(λ(x),Φ)={β∈Φ: λ(β)=0}, when u(x)is a scalar in F*; adding a pair (λ(x), Z_(λ(x),Φ)) to set a L of all(r′, λ(x), Z_(λ(x),Φ)) such that 1≤r′≤r, λ(x)∈V′_(r′),|Z_(λ(x),W)|≥r′+1, and |Z_(λ(x),Φ)|=t+r′, when |Z_(λ(x),Φ)|=t+r′; andoutputting the set L.
 18. The computer memory-based product of claim 17,wherein the memory is at least one of a solid-state drive, a universalflash storage, or a DRAM.